2. Overview of vFabric ERS

vFabric Enterprise Ready Server (ERS) is the most comprehensive and widely distributed solution for Apache HTTP Server and Apache Tomcat Application Server management.

ERS provides the following mission-critical benefits to Apache HTTP Server and Apache Tomcat environments:

2.1. ERS 4.0.3 SP2 Patch: Description and Installation Instructions

This section is for users who have already installed ERS 4.0.3 but now want to apply the SP2 patch, which updates some components and fixes a number of security vulnerabilities.

Important: The SP2 patch includes all changes originally published in the SP1 patch. This means that it is not necessary to apply SP1 first.

ERS 4.0.3 SP2 updates the following components:

  • All: OpenSSL 0.9.8t

  • All: libapr 1.4.5 and libaprutil 1.3.12 for httpd-2.2.17

  • Unix: httpsd.worker and httpsd.prefork for apache-2.2.17

  • Unix: mod_proxy_ajp.so for apache-2.2.17

  • Windows: httpsd.exe for apache-2.2.17

  • Windows: mod_proxy_ajp.so, mod_info.so, mod_unique_id.so, and mod_ftp.so for apache-2.2.17

The preceding information applies to httpd 2.2. Because httpd 1.3 and 2.0 are at their end of life, and the fixed issues in 2.2 were of low priority, 1.3 and 2.0 were not updated. If you are using httpd 1.3 or 2.0, VMware recommends that you migrate to httpd 2.2 to mitigate these issues.

Note about Windows: Apache 2.2.17 in ERS 4.0.3 originally shipped with only IPv4 enabled. All other platforms correctly supported IPv6. For Windows, 4.0.3 SP2 updates libapr-1.dll, libhttpd.dll and several other modules to support IPv6 as designed. Any third-party module sensitive to the specific level of TCP support may require recompilation, although most modules do not need to be updated. The affected modules, which are updated on Windows only, are mod_info.so, mod_unique_id.so and mod_ftp.so.

How to Apply the 4.0.3 SP2 Patch

Important: The SP2 patch includes all changes originally published in the SP1 patch. This means that it is not necessary to apply SP1 first. Do not overwrite an installation patched with SP2 with either the original or the SP1 product; doing so will revert the fixes from the SP2 package.

To apply the 4.0.3 SP2 patch to an existing 4.0.3 installation, follow these steps:

  1. Download the ERS 4.0.3 SP2 patch from the VMware Download Center.

    The ERS 4.0.3 SP2 package name on Unix is ers-4.0.3-patch-apache-2.2.17-sp2-platform.zip.sfx, where platform refers to a particular Unix platform. On Windows it is ers-4.0.3-patch-apache-2.2.17-sp2-x86-winnt.zip.exe.

  2. Open a command prompt or terminal window and stop any running ERS httpd instances. See Starting and Stopping ERS httpd Instances.

  3. Optionally backup the existing ERS-ROOT/apache2.X directories. For example, on Linux, if the ERS root is /opt/ers:

    prompt$ cd /opt/ers
    prompt$ cp -r apache2.2 apache2.2.original
    prompt$ cp -r apache2.2-64 apache2.2-64.original

  4. Copy the 4.0.3 SP2 package to the ERS root directory. For example, if you downloaded the file in your home directory on Linux:

    prompt$ cp ~/ers-4.0.3-patch-apache-2.2.17-sp2-platform.zip.sfx .

  5. If necessary, change the file mode to make it executable:

    prompt$ chmod u+x ers-4.0.3-patch-apache-2.2.17-sp2-platform.zip.sfx

  6. Invoke the file to self-extract the contents:

    prompt$ ./ers-4.0.3-patch-apache-2.2.17-sp2-platform.zip.sfx

    The archive unpacks all patch files into the current directory.

  7. Start your existing ERS httpd instances. See Starting and Stopping ERS httpd Instances.
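The following shell wrapper is an added example, not part of ERS or its documentation, that performs steps 3 to 6 above with two guards: an existing backup directory is never overwritten, and the package is only unpacked under a directory that actually contains an apache2.* tree. The ERS root /opt/ers and the package name are taken from the steps; stopping and restarting the httpd instances (steps 2 and 7) is left to the administrator.

```shell
#!/bin/sh
# Added wrapper for steps 3 to 6 of the ERS 4.0.3 SP2 procedure (not ERS code).
# Stop running httpd instances (step 2) before calling it and start them
# again (step 7) afterwards.
set -eu

# Step 3: copy each ERS-ROOT/apache2.* directory to NAME.original, skipping
# directories that already are backups and never overwriting an existing one.
ers_backup_apache_dirs() {
    root="$1"
    for dir in "$root"/apache2.*; do
        [ -d "$dir" ] || continue
        case "$dir" in *.original) continue ;; esac
        if [ -e "$dir.original" ]; then
            echo "backup already present, leaving it alone: $dir.original" >&2
            continue
        fi
        cp -r "$dir" "$dir.original"
    done
}

# Steps 4 to 6: copy the package into the ERS root, make it executable and
# self-extract it there. Refuses to run when the root does not look like an
# ERS installation (no apache2.* directory), so nothing is unpacked elsewhere.
ers_apply_sp2() {
    root="$1"; pkg="$2"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    set -- "$root"/apache2.*
    [ -d "$1" ] || { echo "no apache2.* directory under $root" >&2; return 1; }
    ers_backup_apache_dirs "$root"
    cp "$pkg" "$root/"
    chmod u+x "$root/$(basename "$pkg")"
    ( cd "$root" && "./$(basename "$pkg")" )
}

# Example invocation (Linux, package downloaded to the home directory):
# ers_apply_sp2 /opt/ers ~/ers-4.0.3-patch-apache-2.2.17-sp2-platform.zip.sfx
```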

Security Vulnerabilities Fixed in 4.0.3 SP2

The following table describes the security vulnerabilities fixed in the 4.0.3 SP2 patch release.

Table 2.1. Security Fixes in 4.0.3 SP2

Each entry gives the security fix, its severity, and a description.

mod_setenvif .htaccess privilege escalation (CVE-2011-3607)
Severity: Low

An integer overflow flaw was found which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.

Resolved with 2.2.22.

mod_proxy reverse proxy exposure (CVE-2011-4317)
Severity: Moderate

An additional exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with the proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal Web servers not directly accessible to the attacker.

Resolved with 2.2.22.

Uninitialized SSL 3.0 Padding (CVE-2011-4576)
Severity: Low

OpenSSL (prior to version 0.9.8s) failed to clear the bytes used as block cipher padding in SSL 3.0 records. This affects both clients and servers (httpd proxy connections to a backend, and connections from a client) that accept SSL 3.0 handshakes: those that call SSL_CTX_new with SSLv3_{server|client}_method or SSLv23_{server|client}_method. It does not affect TLS. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory.

The httpd server does not use SSL_MODE_RELEASE_BUFFERS and therefore has only a single write buffer per connection. That write buffer is partially filled with non-sensitive handshake data at the beginning of the connection and, thereafter, only records that are longer than any previously sent record leak any non-encrypted data. This, combined with the small number of bytes leaked per record, limits the severity of this issue.

Fixed in OpenSSL 0.9.8s.

mod_log_config crash (CVE-2012-0021)
Severity: Low

A flaw was found in mod_log_config. If the '%{cookiename}C' log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.

Resolved with 2.2.22.

Scoreboard parent DoS (CVE-2012-0031)
Severity: Low

A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly.

Resolved with 2.2.22.

Error responses can expose cookies (CVE-2012-0053)
Severity: Moderate

A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.

Resolved with 2.2.22.

Insecure LD_LIBRARY_PATH handling (CVE-2012-0883)
Severity: Low

When merging the apache-2.2/lib product path into an empty LD_LIBRARY_PATH, the administrator could inadvertently cause the current working directory to be searched for DSOs. This could lead to executing user code as root if an administrator runs apache-startup.sh from an untrusted directory.

Resolved after 2.2.22.
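An added shell illustration (not from the ERS documentation or from apache-startup.sh) of the path-merge mistake this entry describes: prepending the product path unconditionally leaves a trailing empty element when LD_LIBRARY_PATH is unset, and the dynamic loader treats an empty element as the current working directory, whereas a guarded merge produces no such element. The library path /opt/ers/apache2.2/lib is assumed from the earlier example.

```shell
# Added illustration of CVE-2012-0883's root cause (not ERS code).
# ERS_LIB is the product library path; the value is assumed.
ERS_LIB="/opt/ers/apache2.2/lib"

# Naive merge: always emits the separator. With LD_LIBRARY_PATH empty or unset
# this yields "/opt/ers/apache2.2/lib:", and the trailing empty element makes
# ld.so also search the current working directory for DSOs.
naive_merge() {
    printf '%s:%s' "$ERS_LIB" "${1-}"
}

# Guarded merge: only add the separator when there is an existing value.
safe_merge() {
    if [ -n "${1-}" ]; then
        printf '%s:%s' "$ERS_LIB" "$1"
    else
        printf '%s' "$ERS_LIB"
    fi
}

# Check a path list for an empty element (leading ":", trailing ":" or "::"),
# which is what turns the current directory into a library search location.
# An entirely empty list is ignored by the loader and therefore passes.
has_cwd_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Usage in a startup script would be:
# LD_LIBRARY_PATH=$(safe_merge "${LD_LIBRARY_PATH-}"); export LD_LIBRARY_PATH
```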